Analysis
max time kernel: 183s
max time network: 184s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 06-08-2024 06:17
Static task: static1
Behavioral task: behavioral1
  Sample: Prestige-5-Client-Mod-Fabric-1.20.1.jar
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: Prestige-5-Client-Mod-Fabric-1.20.1.jar
  Resource: win10v2004-20240802-en
General
Target: Prestige-5-Client-Mod-Fabric-1.20.1.jar
Size: 10.1MB
MD5: d6733cb22b3b56510c627c4a570cd2bd
SHA1: 02765ac17adb12d5f3a7ae3d3c96499a65f2afb3
SHA256: 9a1b80ead0fa10e53a13affeed7a77084d8b73767b6a9251090610711d67a2d7
SHA512: b542e97bb545c971d0ecea0d601cdc4fa4eab39c5e4f624f5d14ed69e0dd3739533c5c25ad49a1ec353b97831a49e17074f69caff5d6ef8467d0f9305cb4313e
SSDEEP: 196608:OIEBkSFcJ7r3zgcKAAowGxj1sIHcVWip8jUyOYE3vWcTFZbKifZH+XF9/GK:OIEBkCcVjHAhGt1pHcVTuLEfJxZbFfZQ
Malware Config
Signatures

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | csrss.exe
Enumerates system info in registry (2 TTPs, 32 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | csrss.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | csrss.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | csrss.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | csrss.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | csrss.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | csrss.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | csrss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | csrss.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | csrss.exe
Modifies data under HKEY_USERS (9 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | winlogon.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | winlogon.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | winlogon.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | winlogon.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | winlogon.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | winlogon.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | winlogon.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | winlogon.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | winlogon.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid | Process
  1072 | taskmgr.exe (20 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1072 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1072 | taskmgr.exe
  Token: SeShutdownPrivilege | 1648 | LogonUI.exe
  Token: SeShutdownPrivilege | 1648 | LogonUI.exe
  Token: SeSecurityPrivilege | 1124 | winlogon.exe
  Token: SeBackupPrivilege | 1124 | winlogon.exe
  Token: SeSecurityPrivilege | 1124 | winlogon.exe
  Token: SeTcbPrivilege | 1124 | winlogon.exe
  Token: SeShutdownPrivilege | 1648 | LogonUI.exe
  Token: SeShutdownPrivilege | 1648 | LogonUI.exe
  Token: SeShutdownPrivilege | 1648 | LogonUI.exe
  Token: SeShutdownPrivilege | 1648 | LogonUI.exe
  Token: SeShutdownPrivilege | 1648 | LogonUI.exe
  Token: SeSecurityPrivilege | 1124 | winlogon.exe
  Token: SeBackupPrivilege | 1124 | winlogon.exe
  Token: SeSecurityPrivilege | 1124 | winlogon.exe
  Token: SeShutdownPrivilege | 1648 | LogonUI.exe
  Token: SeSecurityPrivilege | 1124 | winlogon.exe
  Token: SeBackupPrivilege | 1124 | winlogon.exe
  Token: SeSecurityPrivilege | 1124 | winlogon.exe
  Token: SeShutdownPrivilege | 1648 | LogonUI.exe
  Token: SeShutdownPrivilege | 1648 | LogonUI.exe
  Token: SeShutdownPrivilege | 1124 | winlogon.exe
Suspicious use of FindShellTrayWindow (29 IoCs)
  pid | Process
  1072 | taskmgr.exe (29 identical entries)
Suspicious use of SendNotifyMessage (29 IoCs)
  pid | Process
  1072 | taskmgr.exe (29 identical entries)
Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 608 wrote to memory of 1648 | 608 | csrss.exe | 37
  PID 608 wrote to memory of 1648 | 608 | csrss.exe | 37
  PID 1124 wrote to memory of 1648 | 1124 | winlogon.exe | 37
  PID 1124 wrote to memory of 1648 | 1124 | winlogon.exe | 37
  PID 1124 wrote to memory of 1648 | 1124 | winlogon.exe | 37
  PID 608 wrote to memory of 1648 | 608 | csrss.exe | 37 (9 identical entries)
Processes

C:\Windows\system32\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\Prestige-5-Client-Mod-Fabric-1.20.1.jar
  PID: 2308

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  - System Location Discovery: System Language Discovery
  PID: 1780

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1072

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1740

C:\Windows\system32\csrss.exe
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID: 608

C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1124

    C:\Windows\system32\LogonUI.exe
      Command line: "LogonUI.exe" /flags:0x0
      - Suspicious use of AdjustPrivilegeToken
      PID: 1648

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2188